Expose virtual_camera types to vendor
Virtual Camera requires access to the GPU, and many vendors faced issues
because they could not extend the sepolicy of virtual_camera to match
the architecture of their graphics stack.
This will allow them to define their own rules for virtual_camera.
Test: builds, Virtual Camera CTS
Bug: 382029007
Change-Id: I29009f8d0423667030228dc5978b49501715a9f0
Merged-In: I29009f8d0423667030228dc5978b49501715a9f0
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 91ca88f..c10b0d5 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -27,6 +27,8 @@
sysfs_firmware_acpi_tables
tee_service_contexts_file
trusty_security_vm_sys_vendor_prop
+ virtual_camera
+ virtual_camera_exec
virtual_face
virtual_face_exec
virtual_fingerprint
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 31eadb2..9b64c63 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -1,7 +1,10 @@
# virtual_camera - virtual camera daemon
-type virtual_camera, domain, coredomain;
-type virtual_camera_exec, system_file_type, exec_type, file_type;
+# The types are moved to public starting at 202502
+until_board_api(202504, `
+ type virtual_camera, domain, coredomain;
+ type virtual_camera_exec, system_file_type, exec_type, file_type;
+')
init_daemon_domain(virtual_camera)
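Review bot: The added comment names board API level 202502, but the `until_board_api` guard right below it uses 202504, and so does `starting_at_board_api` in public/virtual_camera.te. A maintainer reading the comment would look for the cut-over at the wrong level, so it should read `# The types are moved to public starting at 202504`. The rest of private/virtual_camera.te lies outside this hunk.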
diff --git a/public/virtual_camera.te b/public/virtual_camera.te
new file mode 100644
index 0000000..1c9e9d6
--- /dev/null
+++ b/public/virtual_camera.te
@@ -0,0 +1,10 @@
+# virtual_camera - virtual camera daemon
+
+starting_at_board_api(202504, `
+ type virtual_camera, domain, coredomain;
+ type virtual_camera_exec, system_file_type, exec_type, file_type;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
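Review bot: The new public file does not record why these types are vendor-visible, and that matters because vendor policy can now write rules with `virtual_camera` as the source domain. A header comment such as `# Public so that vendor policy can grant virtual_camera access to the vendor graphics stack; keep vendor rules limited to that.` would carry the intent from the commit message into the tree. The domain is still declared `coredomain`, so the existing coredomain neverallow rules presumably still bound what a vendor can grant; that is worth confirming on a vendor build. The attribute lists here and in the `until_board_api` block of private/virtual_camera.te must stay identical, so a comment pointing to the private copy would also help.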